ZCyberNews

Articles

432 articles

Chrome 148.0.7778.168 Patches Two High-Severity OOB Read Flaws
Severity: HIGH | Category: Vulnerabilities
Google Chrome 148.0.7778.168 fixes CVE-2026-8543 and CVE-2026-8541, two high-severity out-of-bounds read vulnerabilities in FileSystem and UI components on Mac and all platforms.
CVEs: CVE-2026-8543, CVE-2026-8541
4 min read

Chrome 148 Patches AI Site Isolation Bypass, Android Payment Flaw
Severity: HIGH | Category: Vulnerabilities
CVE-2026-8568 (CVSS 3.1) lets attackers bypass Chrome Site Isolation via AI features after renderer compromise; CVE-2026-8566 (CVSS 4.3) targets Android Payments.
CVEs: CVE-2026-8568, CVE-2026-8566
3 min read

Chrome 148 Patches ANGLE Data Leak, Google Lens UAF
Severity: HIGH | Category: Vulnerabilities
Google fixed CVE-2026-8556 (ANGLE cross-origin leak) and CVE-2026-8550 (Google Lens use-after-free) in Chrome 148.0.7778.168 for Windows. Both flaws require a compromised renderer.
CVEs: CVE-2026-8556, CVE-2026-8550
4 min read

Fleet Patches API Rate-Limiting Bypass via IP Spoofing
Severity: HIGH | Category: Vulnerabilities
CVE-2026-46356: Unauthenticated attackers can bypass Fleet's API rate limiting by spoofing True-Client-IP headers, enabling brute-force login attempts on exposed instances.
CVEs: CVE-2026-46356
3 min read

libsixel NULL Pointer Dereference CVE-2026-44638 Gets Low CVSS
Severity: LOW | Category: Vulnerabilities
CVE-2026-44638: libsixel 1.8.7-r1 and earlier has a NULL pointer dereference in sixeldecoderaw and sixel_decode due to a wrong NULL check after malloc. CVSS 2.5.
CVEs: CVE-2026-44638
3 min read

MCP Registry OIDC Flaw CVE-2026-44428 Lets Attackers Hijack GitHub
Severity: MEDIUM | Category: Vulnerabilities
CVE-2026-44428 (CVSS 4.7) in the MCP Registry before 1.7.6 lets attackers reuse stolen GitHub OIDC tokens across registry instances, enabling unauthorized server publishing and...
CVEs: CVE-2026-44428
4 min read

Medical Management System Flaw Lets Attackers Reset Any Password
Severity: MEDIUM | Category: Vulnerabilities
CVE-2025-67437 (CVSS 6.5) in an unnamed Medical Management System allows unauthenticated password reset via insecure permissions. No patch released.
CVEs: CVE-2025-67437
3 min read

Open WebUI Patches Three Flaws: XSS, SVG Injection, Auth Bypass
Severity: HIGH | Category: Vulnerabilities
Open WebUI fixes CVE-2026-45314 (SVG XSS), CVE-2026-45303 (iframe script injection), and CVE-2026-44567 (pending role auth bypass), all in the self-hosted AI platform.
CVEs: CVE-2026-45314, CVE-2026-45303, CVE-2026-44567
5 min read

Secret Blizzard Upgrades Kazuar Backdoor Into P2P Botnet
Severity: HIGH | Category: Malware
Secret Blizzard evolved Kazuar into a modular P2P botnet with 150 config options, AMSI/ETW bypass, and silent-mode nodes. Microsoft details the three-module architecture.
Tags: Secret Blizzard
3 min read

Silicon Labs SixG301xxx DPA Countermeasure Flaw Weakens Crypto Keys
Severity: HIGH | Category: Vulnerabilities
CVE-2025-14972: Silicon Labs SixG301xxx devices use non-random DPA countermeasures in the SYMCRYPTO engine, enabling key recovery. Affects KSU keys.
CVEs: CVE-2025-14972
3 min read

ZITADEL LDAP Filter Injection CVE-2026-44671 Allows Unauthenticated
Severity: HIGH | Category: Vulnerabilities
CVE-2026-44671 (CVSS 7.5): ZITADEL identity platform fails to escape usernames in LDAP filters, letting unauthenticated attackers inject arbitrary filter logic during login.
CVEs: CVE-2026-44671
3 min read

Aegra IDOR CVE-2026-44504 Exposes Cross-Tenant Data in Shared
Severity: HIGH | Category: Vulnerabilities
CVE-2026-44504: Aegra prior to 0.9.7 allows authenticated attackers to read checkpoint state and inject messages into other users' threads via cross-tenant IDOR. Patch available.
CVEs: CVE-2026-44504
3 min read

Page 3 of 36